HiddenWasp executes an initial script to deploy the malware. The script runs under a user named ‘sftp’ and cleans the system to remove previous versions of the malware in case the device is already infected.
It then downloads an archive file from the server containing all the components, including the rootkit and the Trojan. The script adds the Trojan to /etc/rc.local so that it keeps running even after the user reboots the system.
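The two host-side traces described above, an unexpected ‘sftp’ login account and an extra launch line in /etc/rc.local, are the kind of thing a defender can audit for. The following is an added example written for this article, not code from Intezer's analysis or from the malware itself; the rc.local and passwd contents are constructed samples, and the `/tmp/.hidden/placeholder_trojan` path is a made-up stand-in for whatever a persistence mechanism would insert.

```python
import re

# Constructed sample of an /etc/rc.local file (not a real capture). The
# second-to-last line stands in for an entry added by a persistence
# mechanism; the path is a placeholder, not a real indicator.
SAMPLE_RC_LOCAL = """#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
/usr/bin/example-legit-daemon --start
/tmp/.hidden/placeholder_trojan &
exit 0
"""

# Constructed sample of /etc/passwd in which an 'sftp' account has been
# given an interactive login shell.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sftp:x:1001:1001::/home/sftp:/bin/bash
"""

# Directories from which a boot-time script should not normally launch binaries.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

def audit_rc_local(text):
    """Return (line_no, line) for each executable rc.local line that launches
    something from a temporary or user directory, or from a hidden dot-path."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip comments, blank lines and the conventional trailing 'exit 0'.
        if not line or line.startswith("#") or line == "exit 0":
            continue
        if line.startswith(SUSPICIOUS_DIRS) or re.search(r"/\.[^/\s]+", line):
            findings.append((no, line))
    return findings

def find_shell_users(passwd_text, names):
    """Return those account names from `names` that exist in passwd and have
    a real login shell (i.e. not nologin/false)."""
    hits = []
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if len(fields) < 7:
            continue
        name, shell = fields[0], fields[6]
        if name in names and not shell.endswith(("nologin", "false")):
            hits.append(name)
    return hits

def audit_host(rc_local_text, passwd_text):
    """Combine both checks into one report dict for the host."""
    return {
        "rc_local_findings": audit_rc_local(rc_local_text),
        "unexpected_shell_users": find_shell_users(passwd_text, {"sftp"}),
    }

if __name__ == "__main__":
    # On a live system you would read /etc/rc.local and /etc/passwd instead.
    print(audit_host(SAMPLE_RC_LOCAL, SAMPLE_PASSWD))
```

The rc.local check is deliberately conservative: it only flags lines that start from a temporary or home directory or reference a hidden path, so a legitimate service started from /usr/bin passes. The passwd check treats an ‘sftp’ account with a real shell as worth a look, since a file-transfer-only account would normally have `nologin` or `/bin/false`.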
Once installed, the attacker can take remote control of the infected host and execute code, upload files, and download more scripts. According to their analysis, the researchers explained that this malware is deployed on systems already controlled by the attackers, so it is used as a secondary payload.
The HiddenWasp developers have reused open-source code from several malware families, such as Mirai and the Azazel rootkit. It resembles different threat families from China, but its authorship and origin are still unclear.
You will find more information and a technical analysis of this malware on the Intezer Blog.